Thx for the heads up, Stem. I think it was a very wise move on their part to offer a freebie. It should serve to make folks more aware of them and the product's considerable abilities.

OK IMO it isn't a matter of quality when comparing those two products. SSM is just more robust. It has been in dev for many years. I tend to think SSM users want more understanding and control of how they are protected. Both are great tools.

As a SOHO admin, my personal choice is AbtrusionProtector.

BTW There are also several other good tools for process filtering around.

For those who don't yet know:
'Why do I need this layer in my defenses? Because you can't be infected if the infection can't initiate.'

I've been using the licensed version of PG for a couple of years now and swear by it.

Nope, but if it ain't broke I wouldn't try fixin' it.

Mikey, here's one to pick ya wisdom.

Quote:

Because you can't be infected if the infection can't initiate.

OK, with that, and taking the number of tweaks out of the equation, do the likes of PG free version or Winsonar or AP free not have the bases covered, since they all need configuring (rule granted etc.) for unknown executables to initiate?

If this is the case, then are not all the other functions just window dressing/g33k fodder?
Malware hunter....Got Bot ?

I have full licence for both PG and SSM.
PG is an excellent product, I used it for quite a while, but found SSM has more options (parent=>child / driver loading per app etc) and a wider range of protection.

Quote:

I have full licence for both PG and SSM.
PG is an excellent product, I used it for quite a while, but found SSM has more options (parent=>child / driver loading per app etc) and a wider range of protection.

I decided to give SSM a try....and you're right about the options, I like the wider range of control.

I've now given PG the boot.

I suppose I could go to SSM's site and look, but what are the advantages of the licensed version compared to the free version?
DYSLEXIC'S UNTIE!

Hi bob30880,
Really, at this time, the advantage of the "Full Version" is "NT Services Installation and State Change (significantly improved)" the adding of "Low level disk access" protection (killdisk), and the upgrade of the "registry protection", which is now a "registry monitor" (I would describe this as a "Registry firewall", as there are registry application rules that can be entered (registry rules per application)).

* now all executable files (PE) are signed with the System Safety Limited software publisher certificate;
NOTE: Windows 9x users may not be able to verify the digital signature due to the absence of the appropriate cryptographic provider.

Quote:

OK, with that, and taking the number of tweaks out of the equation, do the likes of PG free version or Winsonar or AP free not have the bases covered, since they all need configuring (rule granted etc.) for unknown executables to initiate?

If this is the case, then are not all the other functions just window dressing/g33k fodder?

Window dressing? No, I don't think so. While it is true that process filtering will stop the initiation and thereby the infection, it still isn't the end of the story. I've been working on a piece that I just don't seem to find time to finish. The draft may explain my thinking better than a post; http://www.voiceofthepublic.com/firewalling/firewalling.html

They can give the concept of firewalling all kinds of new names like HIPS or whatever the current catch phrase is now but it's still the same concepts & things we've known for many years.

It really makes me angry that so many years have been WASTED on obsoletion by the money grubbing anti-malware industry that has sold out users for a buck.

Quote:

It really makes me angry that so many years have been WASTED on obsoletion...

Since PG is already a part of this thread, I would mention that Wayne from DCS explained that the popular TDS being discontinued and the advent of PG are both related to the obsoletion and perpetual signature dev of malware scanners.

I believe they were the first malware scanning outfit to publicly denounce the flawed and obsolete concept. Tho they definitely have not been as long into firewalling as some of the other outfits, they make a good show. Others are starting to catch on too. Perhaps things are finally starting to change.

OK, I said I wouldn't thread hijack, but after the last post it seems that PG is very much part of this thread, so I'll take that back.

OK, Mikey and other learned members following or posting on this topic, your wisdom is required since I am still learning and maybe not 100% correct in my interpretations.

1st point

SSM offers more tweaks (control points/checks) than PG, all good if you have the sense to understand them, but PG is more user friendly to someone new to process filtering/control?

2nd point, and this comes from my own experience (using PG free version) whilst collecting/testing malware and not from any POCs or proven code, and is with regards to process filtering/control on code execution and specific to any software that ensnares this modus operandi.

I have yet, after visiting hundreds of exploit-laden URLs, ActiveX downloads, and archived malware launching from CD or PC hard drive, encountered one instance where the execution protection of PG has not captured and, by my instruction, foiled the malware's attempt to execute by alerting to it.

I have yet to find installers that can drop global hooks, load drivers or DLL inject without the initial code being allowed to execute.
With that, I admit I am a hobbyist and no expert, so beyond POCs that I have not encountered, am I correct in assuming that if code is prevented from executing, all/any of its effects are nullified?

If it cannot execute, it cannot deploy and infect?

Mikey, this is what I was referring to: the rest of the check points being g33k fodder (i.e. PG free versus PG paid).

With that, how important is execution protection to a layered and effective security approach?
Malware hunter....Got Bot ?
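The "rule granted" behaviour discussed in this post and in the earlier question about PG free / Winsonar / AP free (an unknown executable cannot initiate until the user grants it a rule) can be modelled as a small default-deny execution policy. This is an added example and not code from ProcessGuard, SSM or Abtrusion Protector; the rule engine, the `ExecutionPolicy` class and the sample executable bytes are all constructed here. Two design points a defender cares about are shown: rules are keyed on the SHA-256 of the image rather than its path, so a trusted binary that is replaced on disk does not inherit its rule, and an optional parent constraint models the parent=>child rules mentioned for SSM.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALLOW, BLOCK, PROMPT = "allow", "block", "prompt"


def image_hash(image: bytes) -> str:
    """Identity of an executable is the SHA-256 of its bytes, not its path."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Rule:
    verdict: str
    parent_hash: Optional[str] = None   # None means any parent may launch it


@dataclass
class LaunchRequest:
    path: str                           # only used for the alert text
    image: bytes                        # bytes of the file about to execute
    parent_hash: Optional[str] = None   # hash of the process asking to launch it


@dataclass
class ExecutionPolicy:
    """Hypothetical default-deny process filter (constructed for this example)."""
    learning_mode: bool = False
    rules: Dict[str, Rule] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def grant(self, image: bytes, parent: Optional[bytes] = None) -> None:
        """'Rule granted': allow this exact image, optionally only from one parent."""
        parent_hash = image_hash(parent) if parent is not None else None
        self.rules[image_hash(image)] = Rule(ALLOW, parent_hash)

    def deny(self, image: bytes) -> None:
        self.rules[image_hash(image)] = Rule(BLOCK)

    def evaluate(self, req: LaunchRequest) -> str:
        h = image_hash(req.image)
        rule = self.rules.get(h)
        if rule is None:
            # Default deny: nothing without a rule initiates silently.
            self.alerts.append(f"unknown executable: {req.path} sha256={h[:12]}")
            if self.learning_mode:
                self.rules[h] = Rule(ALLOW)   # recorded for later review
                return ALLOW
            return PROMPT                      # held until the user decides
        if rule.verdict == BLOCK:
            self.alerts.append(f"blocked by rule: {req.path}")
            return BLOCK
        if rule.parent_hash is not None and rule.parent_hash != req.parent_hash:
            # parent=>child constraint: the right binary from the wrong parent is still blocked
            self.alerts.append(f"parent mismatch for {req.path}")
            return BLOCK
        return ALLOW


def demo() -> Dict[str, str]:
    # Constructed stand-ins for executables; a real tool hashes the PE on disk.
    shell = b"MZ constructed shell image"
    updater = b"MZ constructed updater image"
    dropped = b"MZ constructed unknown dropper image"

    policy = ExecutionPolicy()
    policy.grant(shell)
    policy.grant(updater, parent=shell)   # updater may only be started by the shell
    verdicts = {
        "shell": policy.evaluate(LaunchRequest("C:\\tools\\shell.exe", shell)),
        "updater_from_shell": policy.evaluate(
            LaunchRequest("C:\\tools\\updater.exe", updater, image_hash(shell))),
        "updater_from_unknown_parent": policy.evaluate(
            LaunchRequest("C:\\tools\\updater.exe", updater, image_hash(dropped))),
        # same trusted path, different bytes: a path-keyed rule would let this through
        "replaced_updater": policy.evaluate(
            LaunchRequest("C:\\tools\\updater.exe", dropped, image_hash(shell))),
    }
    learner = ExecutionPolicy(learning_mode=True)
    verdicts["learning_mode_unknown"] = learner.evaluate(
        LaunchRequest("C:\\temp\\setup.exe", dropped))
    verdicts["learning_mode_recorded"] = learner.rules[image_hash(dropped)].verdict
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `PROMPT` verdict is the point of the thread's "can't be infected if it can't initiate" principle: the launch is held until a rule exists, so a hook, driver load or injection that the dropped file would perform never gets its first instruction. Learning mode trades that hold for convenience, which is why the rules it records should be reviewed afterwards.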

Quote:

With that, how important is execution protection to a layered and effective security approach?

It's becoming more important all the time. I assume you've seen the viruses that kill AVs and firewalls. If one of these wasn't detected by the AV and was allowed to execute, there might not be much of a security system left. We've already seen one example of a high speed virus that can spread over the entire net in a very short time. Sooner or later, someone is going to combine those two and use it to strike down the "more typical" security packages used by most PCs, then follow it with something worse. I'm surprised something like that hasn't already happened. With the average security system still hopelessly reliant on signatures, definitions, or reference files, the PCs relying on those apps would have no chance. I wholly expect to see the day that the internet, and the millions upon millions of hopelessly vulnerable, underprotected Windows PCs that are connected to it 24/7, get harnessed as a weapon of war or terrorism.
IMO, application firewalling has to be at the core of a security package, not just viewed as a layer. Signature based software needs to be relegated to a secondary role like file and e-mail scanning. It's just not fast or reliable enough against modern threats.

Quote:

I would mention that Wayne from DCS explained that the popular TDS being discontinued and the advent of PG are both related to the obsoletion and perpetual signature dev of malware scanners.
I believe they were the first malware scanning outfit to publicly denounce the flawed and obsolete concept....
Perhaps things are finally starting to change.

I'd like to think so. On the other hand, we have M$ getting into the anti-spyware business and now, into antivirus as well. I can't imagine them doing any better with this than they did with a firewall. IMO, when M$ decides to enter, and eventually control a market, AV/AS in this instance, it's past time to move to something better, like HIPS, application firewalling, process control, or whatever the particular vendor wants to call it. As for which one to use or which is better, they're all getting better pretty quickly. Which is best will end up depending on who released a new version last. SSM has very much impressed me with the rate they're developing and improving this program and how fast they respond to bugs and feature requests. That aside, the degree of configurability and the control that gives would make them my choice, even if all the others worked on Win98 as well.
Rick

Quote:

but PG is more user friendly to someone new to process filtering/control?

That was once true but I don't really think there is much diff in the user friendliness now. Have you looked at SSM lately? SSM has many friendly features now including the 'learning mode'. It also gives very friendly and informative alerts. Additionally, all the many venues for gaining information are explained for easy use. One such venue is the 'full log'; http://www.voiceofthepublic.com/RenderedLogs/2006_7_12.HOME@Administrator.ssm.xml

Quote:

I have yet to find installers that can drop global hooks, load drivers or DLL inject without the initial code being allowed to execute.

Your comments make me think that you think process control is the 'be all...end all' of security. Well, reg manipulation and injections are definitely a reality for a process that is given permissions. But for the most part, you are quite right. As Rick said, "application firewalling has to be at the core of a security package".

In this regard, it makes me no diff which product users decide on, as long as it does the job. The ones mentioned here do. Since there are free versions of most of the process firewalls, users are good to leisurely try each for comfort level & ability.

Quote:

Your comments make me think that you think process control is the 'be all...end all' of security

Not the info I meant to convey; more like I consider it to be very important (core) software in my layered security model.
If I thought it was the mythical silver bullet, then I wouldn't have Winpatrol & Kerio FW giving additional layers....

Quote:

I've been using the licensed version of PG for a couple of years now and swear by it.

Simply, ProcessGuard offers protection at the kernel-mode level; SSM protects at user-mode level, or did last I used it. Although SSM has a lot more options, nothing I've tested has ever gotten past PG on its own so far.

Looks like safemon.sys has about 200+ kernel hooks. The current free version is really a lot better experience than the last version I tried; I almost gave up on it forever. I'm actually liking it again.

Technically speaking, the higher the load, the more control you have over the entire sys. However, IMO, it doesn't really matter much, as all of these products will stop any foreign initiation, thereby stopping any infection dead.

All three of the products mentioned in this thread are now simple enough for any user to learn and there is no excuse for anyone to ever suffer any unwanted ware ever again.

If a user combines a little content filtering along with this process filtering, he should not ever even need to see anything unwanted. For example, the only time I ever see a third party ad is when I drop my shields in order to see/study raw source.

============

As noted in that LoadOrder report, I've tried doing simultaneous comparisons but found the results conflicting. I found a better comparison by using event snapshots to capture identical routines on separate appliances.

Quote:

As noted in that LoadOrder report, I've tried doing simultaneous comparisons but found the results conflicting. I found a better comparison by using event snapshots to capture identical routines on separate appliances.

A bit OT, but those who might be technically inclined can easily monitor the routines in real time. I use a multitude of monitors when studying any routine. The monitoring tools from Sysinternals are quite handy. FileMon and RegMon are great to monitor the calls. Also, TDImon is great for studying the loopback. Also, a user can run the process thru his fav debug profiler like Olly or DependencyWalker. Additionally, I also like to make sys change snapshots using InCtrl5 (follows a reboot) and InstallSpy. All of these monitoring tools can run simultaneously during the run of a routine in a tool being benchmarked or studied and will give a pretty accurate picture of exactly what happens, and most are timestamped for easy comparison. Most are freeware. You really don't have to be a coder or an analyst in order to see for yourself whether a tool is doing what it claims to be doing.
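The before/after "sys change snapshot" comparison described in the last two posts (the InCtrl5 / InstallSpy approach, as opposed to live monitoring) reduces to a small snapshot-and-diff routine. The code below is an added example, not code from InCtrl5, InstallSpy or any other tool named here; it covers only the file-system part of such a snapshot, on a temporary directory constructed inline to stand in for the system under test. Entries are keyed on content hash rather than size or timestamp, so a rewrite that keeps a file the same length is still reported as modified.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# relative path -> (size in bytes, sha256 of content)
Snapshot = Dict[str, Tuple[int, str]]


def take_snapshot(root: str) -> Snapshot:
    """Record every file under root by size and content hash."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Report what a routine added, removed and changed between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed 'routine': an installer-like run that edits, deletes and drops files."""
    with tempfile.TemporaryDirectory() as root:
        # constructed baseline state, snapshot taken before the routine runs
        _write(root, "system/config.ini", b"autorun=0\n")
        _write(root, "system/old.dll", b"MZ constructed old library")
        _write(root, "docs/readme.txt", b"unchanged")
        before = take_snapshot(root)

        # the routine under study (constructed changes)
        _write(root, "system/config.ini", b"autorun=1\n")      # same size, new content
        os.remove(os.path.join(root, "system", "old.dll"))
        _write(root, "system/drivers/newhook.sys", b"MZ constructed new driver")
        after = take_snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The same snapshot/diff shape applies to the other things those tools compare (registry keys, services, startup entries): capture a keyed baseline, run the routine, capture again, and report the set differences. Taking the "after" snapshot following a reboot, as the post notes InCtrl5 does, catches changes that only land once pending file operations and startup entries have been processed.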